49b0bf3a90
Issues Fixed:

1. SUSPICIOUS_UA under-valued (+10 → +15)
   - Automation tools now block in 6 hits instead of 8
   - Matches severity of SQL injection and path traversal

2. BOT_FINGERPRINT under-valued (+8 → +15)
   - Headless browsers now properly scored as HIGH risk
   - Blocks in 6 hits instead of 10

3. Suspicious bot penalty increased (+10 → +15)
   - Consistent with new SUSPICIOUS_UA scoring
   - Faster blocking of malicious automation

4. Legit bot penalty exploit fixed
   - Score reduction (-5) now ONLY applies if NO attacks detected
   - Prevents spoofed Googlebot/legitimate UAs from avoiding blocks
   - Attack detection overrides bot classification

Impact:

Before:
- SUSPICIOUS_UA: 8 hits to auto-block (score 80)
- BOT_FINGERPRINT: 10 hits to auto-block
- Spoofed Googlebot with attacks: Could avoid blocking

After:
- SUSPICIOUS_UA: 6 hits to auto-block (score 90)
- BOT_FINGERPRINT: 6 hits to auto-block (score 90)
- Spoofed legitimate UAs: No penalty if attacks present
- Faster response to automation attacks

Real-World Example:

IP with python-requests UA making SQL injection attempts:
- Old: +10 (SUSPICIOUS_UA) +10 (suspicious bot) = 20 per hit
- New: +15 (SUSPICIOUS_UA) +15 (suspicious bot) = 30 per hit
- Result: Blocks in 3 hits instead of 4
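The scoring arithmetic behind the commit message, as an added illustration that is not the project's own code. It models only what the message quantifies: the per-signal increments before and after the change, the -5 legitimate-bot reduction and its new "no attacks detected" condition, and the cumulative auto-block behaviour. The weight table keys, the `Hit` representation, and the `BLOCK_THRESHOLD` of 80 are assumptions chosen because they reproduce every hit count the message quotes (8 hits at +10 and 6 hits at +15 both land on a threshold of 80); the project's own attack weights are not stated in the message, so attack detections carry no score here and only drive the legitimate-bot override.

```python
from dataclasses import dataclass

BLOCK_THRESHOLD = 80   # assumption: auto-block once the cumulative score reaches 80
LEGIT_BOT_REDUCTION = 5

# Per-signal increments quoted in the commit message, before and after the change.
OLD_WEIGHTS = {"SUSPICIOUS_UA": 10, "BOT_FINGERPRINT": 8, "SUSPICIOUS_BOT": 10}
NEW_WEIGHTS = {"SUSPICIOUS_UA": 15, "BOT_FINGERPRINT": 15, "SUSPICIOUS_BOT": 15}


@dataclass(frozen=True)
class Hit:
    """One request from a client, reduced to the signals the scorer looks at (assumed shape)."""
    signals: tuple = ()       # classification signals, keys of the weight tables
    attacks: tuple = ()       # attack detections on this request, e.g. ("SQL_INJECTION",)
    legit_bot: bool = False   # UA claims to be a known crawler such as Googlebot


def hit_delta(hit: Hit, weights: dict, attack_overrides_bot: bool) -> int:
    """Score change for one hit.

    The message's worked figures count only the UA/bot components, so attack
    detections add nothing here (their weights are not quoted); they only decide
    whether the legitimate-bot reduction is allowed to apply.
    """
    delta = sum(weights[s] for s in hit.signals)
    if hit.legit_bot:
        # Old behaviour: the reduction was unconditional, so a spoofed Googlebot
        # kept lowering its score while attacking.
        # New behaviour: any attack detection overrides the bot classification.
        if not (attack_overrides_bot and hit.attacks):
            delta -= LEGIT_BOT_REDUCTION
    return delta


def hits_to_block(hit: Hit, weights: dict, attack_overrides_bot: bool,
                  threshold: int = BLOCK_THRESHOLD, max_hits: int = 100):
    """Number of identical hits until the cumulative score reaches the threshold,
    or None if it never gets there within max_hits."""
    score = 0
    for n in range(1, max_hits + 1):
        score += hit_delta(hit, weights, attack_overrides_bot)
        if score >= threshold:
            return n
    return None


def compare(hit: Hit) -> dict:
    """Old vs new per-hit delta and hits-to-block for one kind of request."""
    return {
        "old_delta": hit_delta(hit, OLD_WEIGHTS, attack_overrides_bot=False),
        "new_delta": hit_delta(hit, NEW_WEIGHTS, attack_overrides_bot=True),
        "old_hits": hits_to_block(hit, OLD_WEIGHTS, attack_overrides_bot=False),
        "new_hits": hits_to_block(hit, NEW_WEIGHTS, attack_overrides_bot=True),
    }


# Constructed sample requests mirroring the cases listed in the message.
SAMPLES = {
    "automation tool UA": Hit(signals=("SUSPICIOUS_UA",)),
    "headless browser": Hit(signals=("BOT_FINGERPRINT",)),
    "python-requests + SQLi": Hit(signals=("SUSPICIOUS_UA", "SUSPICIOUS_BOT"),
                                  attacks=("SQL_INJECTION",)),
    "spoofed Googlebot + SQLi": Hit(legit_bot=True, attacks=("SQL_INJECTION",)),
}

if __name__ == "__main__":
    for name, hit in SAMPLES.items():
        print(f"{name:26} {compare(hit)}")
```

Running it reproduces the message's figures: 8 → 6 hits for a suspicious UA, 10 → 6 for a bot fingerprint, and 4 → 3 for python-requests with the suspicious-bot penalty. The spoofed-Googlebot row shows the exploit the fourth fix closes: under the old rule each attacking hit was scored at -5 from the components modelled here, so the reduction was eroding whatever the attack detections added; under the new rule the reduction is simply not applied once an attack is detected.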